These software bugs are years old. But businesses still aren't patching them

Many organisations still haven't applied security patches issued years ago, putting them at risk from common cyberattacks.
Written by Danny Palmer, Senior Writer

Almost two-thirds of the unpatched vulnerabilities found on enterprise networks involve flaws that are more than two years old, even though fixes have long been available. This failure to patch exposes businesses to attacks that could often have been avoided simply by applying the security updates.

Analysis by Bitdefender found that 64% of all reported unpatched vulnerabilities during the first half of 2020 involve known bugs dating from 2018 and previous years, which means organisations are at risk from flaws that somebody should have fixed a long time ago.

"The vast majority of organizations still have unpatched vulnerabilities that were identified anywhere between 2002 and 2018," the report said.


Applying patches can be time-consuming, tedious and unrewarding work. For cyber criminals, unpatched vulnerabilities provide a simple way to deliver attacks and malware. Businesses and users are encouraged to apply security patches to operating systems and software as soon as possible, but the figures in Bitdefender's 2020 Business Threat Landscape Report suggest that many organisations are still slow to do so.

"With organizations having most of their workforce remote, setting and deploying patching policies has never been more crucial. With six in 10 organizations having machines with unpatched vulnerabilities that are older than 2018, the risks of having those vulnerabilities exploited by threat actors are higher than ever," the report warned.

In some cases, organisations don't apply security patches because they fear an update could disrupt the systems they depend on; in choosing that, they accept the risk of a cyberattack instead.

"Backward compatibility plays a vital role in deciding whether or not some applications should be patched. For example, patching or upgrading an application or service could break compatibility with other software that could be mission-critical for the organization. In this case, not patching could be less of a security decision but more of a business decision," Liviu Arsene, global cybersecurity researcher at Bitdefender, told ZDNet.

Knowing what is actually on the network, and having a plan for applying patches to it, goes a long way towards protecting organisations from attacks that exploit known vulnerabilities.
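The Bitdefender figure is easy to reproduce against your own data: the year embedded in a CVE identifier is a rough age marker, so a vulnerability scan export can be profiled by how many open findings predate a cutoff, and hosts can be ordered by their oldest open flaw. The script below is an added example written for this article, not Bitdefender's tooling or anything from the report; the CSV layout (host, cve, status) and the sample findings embedded in it are constructed for illustration, and the hosts-to-CVE pairings are invented even though the CVE identifiers themselves are well-known ones.

```python
"""Age-profile the open findings in a vulnerability scan export.

Added example, not code from the article or from Bitdefender. The export
format (host,cve,status) is an assumption; real scanners differ, so adapt
parse_export() to your own column names.
"""
import csv
import io
import re
from collections import Counter

# CVE IDs look like CVE-YYYY-NNNN (four or more digits after the year).
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed sample export: hosts and their open/patched findings are
# invented for this example and do not describe any real network.
SAMPLE_EXPORT = """host,cve,status
web-01,CVE-2017-5638,open
web-01,CVE-2020-1472,open
db-02,CVE-2014-0160,open
db-02,CVE-2019-0708,patched
legacy-03,CVE-2002-0013,open
legacy-03,CVE-2010-2568,open
ws-11,CVE-2020-0601,open
ws-11,CVE-2018-8174,open
"""


def cve_year(cve_id):
    """Return the year portion of a CVE ID, or raise ValueError if malformed.

    Caveat: the year in the ID is when the identifier was assigned, which is
    usually but not always the year the flaw was published; it is a triage
    approximation, not a precise disclosure date."""
    match = CVE_RE.match(cve_id.strip().upper())
    if not match:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(match.group(1))


def parse_export(text):
    """Parse the CSV export into a list of finding dicts with a parsed year."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        cve = row["cve"].strip().upper()
        findings.append({
            "host": row["host"].strip(),
            "cve": cve,
            "year": cve_year(cve),
            "status": row["status"].strip().lower(),
        })
    return findings


def age_profile(findings, cutoff_year):
    """Share of *open* findings whose CVE year is <= cutoff_year.

    With cutoff_year = report_year - 2 this mirrors the article's framing
    ("vulnerabilities dating from 2018 and earlier" for a 2020 report)."""
    open_findings = [f for f in findings if f["status"] == "open"]
    old = [f for f in open_findings if f["year"] <= cutoff_year]
    share = len(old) / len(open_findings) if open_findings else 0.0
    return {
        "open": len(open_findings),
        "old": len(old),
        "old_share": share,
        "by_year": dict(Counter(f["year"] for f in open_findings)),
        "hosts_with_old": sorted({f["host"] for f in old}),
    }


def oldest_open_per_host(findings):
    """Map each host to the year of its oldest still-open CVE."""
    oldest = {}
    for f in findings:
        if f["status"] != "open":
            continue
        oldest[f["host"]] = min(oldest.get(f["host"], f["year"]), f["year"])
    return oldest


def patch_priority(findings):
    """Hosts ordered by oldest open CVE first: a simple backlog ordering."""
    oldest = oldest_open_per_host(findings)
    return sorted(oldest, key=lambda host: (oldest[host], host))


if __name__ == "__main__":
    data = parse_export(SAMPLE_EXPORT)
    profile = age_profile(data, cutoff_year=2020 - 2)
    print(f"{profile['old']} of {profile['open']} open findings "
          f"({profile['old_share']:.0%}) date from 2018 or earlier")
    for host in patch_priority(data):
        print(f"  {host}: oldest open CVE year {oldest_open_per_host(data)[host]}")
```

Feeding a real export through this gives the same kind of number the report quotes, but for one network; the hosts at the top of `patch_priority` are the ones to either patch or, if backward compatibility really rules that out, isolate.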


"Having a patching policy and roll-out procedure in place is always the best solution for addressing known vulnerabilities," said Arsene.

"Systems that are mission-critical but cannot be patched for backward-compatibility or business-continuity reasons should be isolated and access to them tightly regulated," he added.
